Business Continuity Management / Disaster Recovery , Fraud Management & Cybercrime , Governance & Risk Management

Alerts: Avaddon Ransomware Attacks Increasing

FBI and Australian Officials Describe the Threat
Alerts: Avaddon Ransomware Attacks Increasing

Attackers are using Avaddon ransomware to target diverse organizations in the U.S., Australia and elsewhere, according to the FBI and the Australian Cyber Security Center.

See Also: Mandiant Cyber Crisis Communication Planning and Response Services

The agencies warn that an ongoing campaign is hitting manufacturers, airlines, healthcare organizations and others.

Avaddon ransomware, first promoted on Russian-language hacking forums as a ransomware-as-a-service offering, was subsequently used in cybercriminal campaigns, the ACSC says in its recent alert.

The gang behind Avaddon ransomware recently stole SIM card data and banking information in an attack on Schepisi Communications, a service provider to Australian telecommunications company Telstra (see: Ransomware Hits Australian Telecom Provider Telstra’s Partner)

Attack Analysis

Avaddon is spread via phishing and malicious spam campaigns that deliver malicious JavaScript files, the ACSC says.

"These are often low in sophistication, containing a threat suggesting the attached file contains a compromising photo of the victim," the Australian agency says. "'Double extortion' techniques are used, such as coercion and further pressure to pay a ransom, including threatening to publish the victim’s data … and threatening the use of DDoS attacks against the victims."

Written in C++, Avaddon encrypts data using a unique AES256 encryption key, the agency reports. During the infection process, Avaddon checks the operating system language and keyboard layouts. If a potential victim’s operating system language is set to specific languages normally used in the Commonwealth of Independent States - formerly part of the Soviet Union - the malware ceases operation without harming the system.

In addition, the operators behind Avaddon apply the GetUserDefaultLCID() function to identify the default geolocation and system language of the user’s device to determine whether the user will be targeted for attack. This technique has also been observed in ransomware campaigns using the MedusaLocker variant, ACSC states.

"TTPs for Avaddon are very similar to those identified in use within the Ako and MedusaLocker ransomware variants, including the use of an embedded public key to perform AES-256 encryption on all file data, as well as using a Windows Scheduled Task to establish persistence," the Australian agency notes.

The FBI says in its alert that attackers using Avaddon ransomware have compromised victims by using remote desktop protocol logins or targeting virtual private networks that are misconfigured or use single-factor authentication.

"After Avaddon actors gain access to a victim’s network, they map the network and identify backups for deletion and/or encryption," the FBI says. "The malware escalates privileges, contains anti-analysis protection code, enables persistence on a victim system and verifies the victim is not located in the Commonwealth of Independent States."

The Avaddon attackers use data leak site avaddongun7rngel[.]onion to identify victims who do not pay ransoms, ACSC says. They demand ransom payment via bitcoin, with an average demand of about $40,000 in exchange for a decryption tool, the Australian agency says.

Avaddon Activities

Security firm Trend Micro first spotted Avaddon ransomware in the wild in February 2020. In June 2020, Trend Micro revealed that the strain is spread as a malicious image file in email attachments. When downloaded, the malware encrypts the files in the victims' devices with the .avdn file extension.

"Users will see that their system desktop's wallpaper has been automatically changed to an image that states 'all your files have been encrypted' and refers to the ransom note," Trend Micro noted.

By October 2020, the Avaddon group was reportedly leveraging distributed denial-of-service attacks against victims to force them to pay the ransom.

Recommended Mitigations

To mitigate the threat posed by Avaddon, the FBI recommends:

  • Backing up critical data offline and ensuring copies of critical data are in the cloud or on an external hard drive or storage device;
  • Securing backups and ensuring data is not accessible for modification or deletion from the system where it resides;
  • Using two-factor authentication with strong passwords, especially for remote access services.
  • Monitoring cyberthreat reporting regarding the publication of compromised VPN login credentials.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.